Your message dated Tue, 27 Dec 2016 15:04:07 +0000
with message-id <[email protected]>
and subject line Bug#739590: fixed in refpolicy 2:2.20161023.1-4
has caused the Debian Bug report #739590,
regarding selinux-policy-default: ssh & bind9 broken by removal of hotplug script initrc labelling
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)

--
739590: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=739590
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: selinux-policy-default
Version: 2:2.20140206-1
Severity: important

On a jessie system with refpolicy 2:2.20140206-1, and allow-hotplug set
on the primary network interface, sshd is left running in udev_t,
breaking it thoroughly (and in fact flooding the logs with socket errors
until the machine runs out of disk). bind9, which also has a hotplug
trigger script, is broken by inability of rndc to access auth keys.

My guess as to why:

Removal of the debian-specific refpolicy patches in rev
853ebfe7118c3984ff2b53f51af6f5758d222cd7 had the effect of returning the
contents of /etc/network/if-{up,down}.d/ from initrc_exec_t to etc_t.
As a result, on systems with allow-hotplug on their primary network
interfaces the sshd and any other network-using daemons aware of hotplug
will be started from udev rather than init, and with an etc_t startup
script the usual domain transition doesn't happen.

I'll test out restoring the labelling and see if there's more to this.

Years ago, this was Bug#503941 at least as it impacted bind.

-- System Information:
Debian Release: jessie/sid
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'testing-updates'), (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.12-1-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages selinux-policy-default depends on:
ii  libpam-modules   1.1.8-2
ii  libselinux1      2.2.2-1
ii  libsepol1        2.2-1
ii  policycoreutils  2.2.5-1
ii  python           2.7.5-5
ii  selinux-utils    2.2.2-1

Versions of packages selinux-policy-default recommends:
ii  checkpolicy  2.2-1
ii  setools      3.3.8-3

Versions of packages selinux-policy-default suggests:
pn  logcheck        <none>
pn  syslog-summary  <none>

-- Configuration Files:
/etc/selinux/default/modules/active/file_contexts.local [Errno 13] Permission denied: u'/etc/selinux/default/modules/active/file_contexts.local'

-- debconf-show failed
--- End Message ---
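
A check for the condition described in the report above, as an added example that is not part of the original message or of refpolicy: it flags hook scripts whose type is not initrc_exec_t and processes other than udev itself that are running in udev_t. The function names, the sample contexts, PIDs and the list of udev process names are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the bug report). Sample data below is constructed.

# Input: "context path" lines, e.g. from: stat -c '%C %n' /etc/network/if-*.d/*
# Output: hook scripts whose SELinux type is not initrc_exec_t, so starting
# them from udev_t triggers no transition to initrc_t.
mislabeled_hooks() {
    awk '{ n = split($1, c, ":")           # user:role:type[:level]
           if (n >= 3 && c[3] != "initrc_exec_t") print $2 " " c[3] }'
}

# Input: "context pid comm" lines, e.g. from: ps -eo label=,pid=,comm=
# Output: processes confined as udev_t that are not udev itself, i.e. daemons
# that inherited the domain of the hotplug event handler.
strays_in_udev_t() {
    awk '{ split($1, c, ":")
           if (c[3] == "udev_t" && $3 !~ /^(systemd-udevd|udevd|udevadm)$/)
               print $3 " " $2 }'
}

# Constructed sample: two hooks reverted to etc_t, one still initrc_exec_t.
SAMPLE_HOOKS='system_u:object_r:etc_t:s0 /etc/network/if-up.d/openssh-server
system_u:object_r:initrc_exec_t:s0 /etc/network/if-up.d/mountnfs
system_u:object_r:etc_t:s0 /etc/network/if-down.d/bind9'

# Constructed sample: sshd started from a hotplug event and left in udev_t.
SAMPLE_PS='system_u:system_r:udev_t:s0-s0:c0.c1023 312 systemd-udevd
system_u:system_r:udev_t:s0-s0:c0.c1023 2208 sshd
system_u:system_r:named_t:s0 2301 named'

printf '%s\n' "$SAMPLE_HOOKS" | mislabeled_hooks
printf '%s\n' "$SAMPLE_PS" | strays_in_udev_t
```

On a live system, replace the two `printf` lines with the `stat` and `ps` commands named in the comments; empty output from both functions means the labelling and the transition are in place.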
--- Begin Message ---
Source: refpolicy
Source-Version: 2:2.20161023.1-4

We believe that the bug you reported is fixed in the latest version of
refpolicy, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Russell Coker <[email protected]> (supplier of updated refpolicy package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])

Format: 1.8
Date: Wed, 28 Dec 2016 00:36:11 +1100
Source: refpolicy
Binary: selinux-policy-default selinux-policy-mls selinux-policy-src selinux-policy-dev selinux-policy-doc
Architecture: source all
Version: 2:2.20161023.1-4
Distribution: unstable
Urgency: medium
Maintainer: Debian SELinux maintainers <[email protected]>
Changed-By: Russell Coker <[email protected]>
Description:
 selinux-policy-default - Strict and Targeted variants of the SELinux policy
 selinux-policy-dev - Headers from the SELinux reference policy for building modules
 selinux-policy-doc - Documentation for the SELinux reference policy
 selinux-policy-mls - MLS (Multi Level Security) variant of the SELinux policy
 selinux-policy-src - Source of the SELinux reference policy for customization
Closes: 691283 739590
Changes:
 refpolicy (2:2.20161023.1-4) unstable; urgency=medium
 .
   * Allow mon_t to read sysfs.
   * Made gpm_getattr_gpmctl also allow getattr on the fifo_file
   * Allow mount_t to getattr tmpfs_t and rpc_pipefs_t filesystems
   * Allow systemd_logind_t to change identities of files
   * Allow systemd_logind_t to read the cgroups files of all login processes
   * Added monit policy from cgzones <[email protected]>.
     Closes: #691283
   * Allow udev_t to transition to initrc_t for hotplug scripts, and label
     /etc/network/ip-ip.d/* etc as initrc_exec_t. Policy taken from Wheezy
     at the recommendation of Devin Carraway <[email protected]>
     Closes: #739590
--- End Message ---
_______________________________________________
SELinux-devel mailing list
[email protected]
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/selinux-devel
